domain login script

Posted on 2004-10-10
Medium Priority
Last Modified: 2008-01-09
I am currently publishing an application via terminal services.  My current setup has the user's local account specify to "start the following program at logon", which is really just a small batch file that will open up the correct program for them.  This works perfectly for local accounts, but is not scalable.

I am now adding a domain controller and would like to replicate this setup for domain users.  I created a logical unit and group for the terminal services users that will use my application.  I then set up a group policy with the login batch file in it.  For some reason, however, the script is never executed at login.

How can I do this, and, furthermore, how can I replicate my setup for local users with the domain?

Question by:antstrength
LVL 20

Expert Comment

ID: 12273231
There are numerous ways you should be able to achieve this. Have a look at these:
HOW TO: Automatically Run Programs When Users Log On to Windows 2000 Terminal Services
How To Assign a Logon Script to a Profile for a Local User in Windows 2000

With group policy you need to make sure the relevant users or groups have read and apply permissions for that gpo. You also cannot apply group policy to a group by moving that group to an OU. The users in that group need to be in the OU. You can however filter the application of group policy by using security groups, details contained within this link,
4956 » How do I optimize Group Policy to increase logon performance
Also here's an extremely useful tool for managing and enumerating the results of application of group policy. You'll need either Windows 2003 Server or Windows XP Pro Sp1 client with .net framework installed to run it. It will work within a windows 2000 server domain although is slightly more limited,
Introducing the Group Policy Management Console

Hope that is a helpful start,

Deb :))

Author Comment

ID: 12274368
Thank you Deb for your helpful links on group policy.  I just spent some hours immersing myself in group policy and have had limited success accomplishing my ultimate goal.  Allow me to clarify it.

At the "active directory users and computers" snap-in, I have specified for each user to "start the following program at login".  The program is a small batch file which will open up the program that I am publishing.  When the program is closed, the user is automatically logged out (this is required.)

If a user logs into the terminal server directly, this works perfectly.  If they log into another machine on the domain, the program does not start.  How can I accomplish this?

LVL 20

Expert Comment

ID: 12274857
You could assign this as a login script - so it runs when a user logs on to the domain. Short way to do it:
1) Create a new Organisational Unit in ADUC,
2) Move the users into this new OU
3) Right-click the OU, click properties, and then go to the group policy tab. Click New, to link a new gpo to the unit, and name it something appropriate.
4) Edit the group policy object - Expand User Configuration, Windows Settings and you'll see scripts (logon/logoff).
5) Double-click logon and it will bring up a new dialog box. Click show files and it will open up the relevant logon script folder for that policy. Paste your script into this folder. It needs to be in here in order to run. Close the folder, then on the scripts dialog box click add, browse and select your script. Then click open, and ok to attach that script as a logon script to that OU.
6) Click apply and then close, so that you come back to the general group policy dialog for that OU (options are new,add,edit,options, delete, properties).
7) Click on properties for that GPO - then click on security. Ensure that the users in this OU have both read and apply group policy permissions on that GPO. You can do this using a security group that the users are a member of.
8) Close, then run the following command from a command prompt -
secedit /refreshpolicy user_policy
This will allow the policy to be replicated. Then test the script by logging in as one of your target users,
How to assign scripts in Windows 2000

Bear in mind that this policy will apply no matter where these users login, unless you specify policy otherwise,

Hope that helps,

Deb :))


Expert Comment

ID: 12280116

Adding to what Deb has mentioned, I'm assuming you are requiring users to ONLY be able to use this particular software from their desktop and not be able to run anything else.  Sort of like dumb terminal.  If that is the case, you might want to consider investing in TS Dumb Terminals.  They run for about $100 which is much cheaper than a full PC.

If purchasing new hardware is not an option for you, then consider locking down the PC to a minimum using Group Policy.  Meaning, you could redirect everyone's desktop to one particular desktop on the network \\server\share\desktop, My documents to \\server\share\mydocs, etc.  Also, remove the Run command and set the Group Policy to "Only Allow running the following programs" and add your programs in there.  That will make the PC pointing to the read only desktop which would have an icon for your batchfile to start the application.  That application would be on the list of allowed programs.... you get the point.

If that route sounds applicable to your need and you would like help with setting up the GPO for that, let me know and I'd be happy to help out.


Author Comment

ID: 12284344
I have already locked down the desktop very much so.  Thank you for your suggestion.  This does not address my other problem, though.  I only want the user to see the application, and nothing else.  I also want the user to be logged out when the application closes.  This is how it works if the user is logged on locally to the domain controller, and the "start the following program at login" option is specified.

If I could just get other machines in the domain to also start the program at login, then the problem would be solved.

A possible route I have considered is to write a small vb application that will automatically open the correct version of the program (every user has his/her own copy), and specify it to start up instead of the windows GUI.  This is much more work, though, than if there were an easy way to duplicate the domain controller's login behavior on the other domain computers.

LVL 20

Expert Comment

ID: 12293055

Are you using a terminal services or remote desktop connection only by any chance? It would appear so.  What you are looking for I think requires a bit of manipulation of group policy to achieve in the way that you wish as there is no simple setting in GP to mimic the way that the term services/remote desktop "start following program at logon" facility works (I agree that there should be though). I'll post some links - look for the policy scenario "Highly Managed User" and "TaskStation". I know it references 2003 but it does also apply to 2000. Unfortunately it's not super-simple and will require some testing on your part. Note the GPMC is extremely useful anyway but requires Windows 2003 server or Windows XP SP1 client pc with .net framework installed to run it. It will work on 2000 server domains though and is worth a look as a useful tool for managing group policy if you haven't already come across it.

Introducing the Group Policy Management Console

But if ALL you need is to start the program at logon check out the policy under:
User configuration-Administrative Templates-System-Custom User Interface
It is possible to add the path to your app here ie %programfiles%\yourfolder\yourapp.exe

Worth a try if all you need is to start this program at logon.

Group Policy Common Scenarios Using GPMC
Implementing Common Desktop Management Scenarios with the Group Policy Management Console

You may also look into adding the application to the relevant run keys in the client's registry as another option but let's see how this goes. I do have a vb script that will constantly check for an instance of a running application and log off a user when that app stops but haven't posted it yet as I'm not sure it will help. Let me know if you want it.

Hope that helps a bit!

Deb :))

Author Comment

ID: 12294036
Ahh, I can see where you guys are getting confused.  I am not using the "start following program at logon" that is present on the CLIENT.  I am setting it in ADUC for each user.  It's under the "environment" tab, I think.

For deployment, I'm actually using the activeX control (formerly known as TSAC).

That vb script sounds like it could be an incredible help.  Ideally, it would start the right copy of the program for each user (I need to have a distinct copy for each user), and would be set as the custom GUI.  Got source?

LVL 20

Accepted Solution

Debsyl99 earned 2000 total points
ID: 12297558

Ok - I'm not usually hard of thinking (well not much) - but I am slightly confused with this.

Let me try my understanding of your setup and correct me very clearly where I am getting it wrong!

""I am currently publishing an application via terminal services"" - This application is therefore ONLY available through login to a terminal server then?

""My current setup has the user's local account specify to "start the following program at logon", which is really just a small batch file that will open up the correct program for them.  This works perfectly for local accounts, but is not scalable.""

Presumably you mean either local accounts on your terminal server as opposed to domain accounts or actually physically logging on locally to the server.

So a user logs on to a pc on the domain and gets the usual desktop etc for that pc that's a member of the domain. Do you want the users when logging on to the domain to go directly to your terminal server application ie bypass their local desktop, or do you want them to just be able to double click a remote desktop connection that will take them into that terminal server application directly once they've logged on and of course off the terminal server once they've closed the app?

It sounds like you want to bypass the desktop maybe - let me know,

The script - sample script off the web actually (sorry lost the link) - you'd need to adapt it, and it needs a .vbs extension - but let me know what you want first,

MsgBox "After you close all occurrences of Notepad, " _
              & "you will be logged out"

' task to check
sTask = "notepad.exe"

' The three following lines are just for test.
Set oShell = CreateObject("WScript.Shell")
' start task
oShell.Run sTask

Set oWmi = GetObject("winmgmts:")

' Waiting for task to disappear
Do While True
  sWmiq = "select Name from Win32_Process where name='" & sTask & "'"
  Set oQResult = oWmi.ExecQuery(sWmiq)

  If oQResult.Count = 0 Then
    ' use "." for local computer
    ' call ShutDown sub
    ' Use "Logoff_Force" for a forced logoff
    ShutDown ".", "Logoff"
    Exit Do
  End If
  ' 0.5 seconds pause
  WScript.Sleep 500
Loop

Sub ShutDown(sNode, sCmd)

  ' Win32Shutdown flags; EWX_FORCE is OR'd with an action to force it
  Const EWX_LOGOFF = 0
  Const EWX_SHUTDOWN = 1
  Const EWX_REBOOT = 2
  Const EWX_FORCE = 4
  Const EWX_POWEROFF = 8

  ' connect to the target node with the Shutdown privilege enabled
  Set oWmiNode = GetObject("winmgmts:" _
     & "{impersonationLevel=impersonate,(Shutdown)}!\\" _
     & sNode & "\root\cimv2")

  Set colOperatingSystems = oWmiNode.ExecQuery _
     ("Select * from Win32_OperatingSystem")
  ' there is only one OS instance; take the first one
  For Each obj in colOperatingSystems
    Set oOS = obj :  Exit For
  Next

  sCmd = LCase(sCmd)

  Select Case sCmd
    Case "logoff"
      iCmd = EWX_LOGOFF
    Case "logoff_force"
      iCmd = EWX_LOGOFF Or EWX_FORCE
    Case "shutdown"
      iCmd = EWX_SHUTDOWN
    Case "shutdown_force"
      iCmd = EWX_SHUTDOWN Or EWX_FORCE
    Case "reboot"
      iCmd = EWX_REBOOT
    Case "reboot_force"
      iCmd = EWX_REBOOT Or EWX_FORCE
    Case "poweroff"
      iCmd = EWX_POWEROFF
    Case "poweroff_force"
      iCmd = EWX_POWEROFF Or EWX_FORCE
    Case Else
      ' Default value
      iCmd = EWX_POWEROFF
  End Select

  oOS.Win32Shutdown iCmd
End Sub

Deb :))
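A present-day PowerShell take on the same idea, added here as an illustration and not part of the thread or Deb's script: it plays the role of the logon batch file from the group-policy steps above and of the watcher script, starting one user's own copy of the application, waiting for it to go away, and then ending the session. The per-user path \\server\apps\<username>\app.exe, the log file location and the use of logoff.exe are assumptions, not anything the thread specifies.

```powershell
# Added illustration, not code from the thread.
# Launches one user's own copy of the published application, waits until it
# (or whatever it hands off to) has exited, then logs the session off.
# Assumption: each user's copy lives at \\server\apps\<username>\app.exe;
# both the share and the executable name are placeholders.
param(
    [string]$AppRoot = '\\server\apps',   # placeholder share
    [string]$AppExe  = 'app.exe'          # placeholder executable name
)

$userCopy  = Join-Path (Join-Path $AppRoot $env:USERNAME) $AppExe
$imageName = [System.IO.Path]::GetFileNameWithoutExtension($AppExe)
$logFile   = Join-Path $env:TEMP 'app-launch.log'   # assumed log location

try {
    if (-not (Test-Path -LiteralPath $userCopy)) {
        throw "No copy of $AppExe found for $env:USERNAME at $userCopy"
    }

    # Start the user's copy and block until that process exits.
    $proc = Start-Process -FilePath $userCopy -PassThru -ErrorAction Stop
    $proc.WaitForExit()

    # Some applications are started through a launcher that exits at once and
    # hands off to a second process. Fall back to polling by image name, the
    # same check the VBScript makes against Win32_Process, until nothing with
    # that name is left in this session.
    while (Get-Process -Name $imageName -ErrorAction SilentlyContinue) {
        Start-Sleep -Milliseconds 500
    }
}
catch {
    # Record why the session is ending so it can be diagnosed afterwards;
    # nobody is watching the console of a logon program.
    Add-Content -Path $logFile -Value ("{0} {1}" -f (Get-Date -Format o), $_)
}
finally {
    # Whatever happened, end the session so the user never lands on a desktop.
    & "$env:SystemRoot\System32\logoff.exe"
}
```

Because the logoff sits in the finally block, a missing or crashing application still ends the session rather than leaving the user at a bare desktop, which is the behaviour the asker wants from the "start the following program at logon" setting.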


Author Comment

ID: 12299984
Thank you for all your help.  I will modify that script to do exactly what I need.  All of the users in question are logging onto my terminal servers via their own unmanaged machines.  What I have done in the past is to create regular, local accounts on each of my terminal servers.  I am now moving the terminal servers to a domain, and that is why I am trying to replicate the process of logging in locally via terminal services with a domain.
